The connection of computers and other equipment to networks permits easy and flexible access to the equipment by distributed users, provides efficient utilization of shared resources, and permits the equipment to be serviced from a centralized source. The ability to access equipment over a network, however, presents a number of security issues. Computers and other equipment often contain proprietary and/or sensitive information which, if known to, or altered by, the competitors or customers of the owner of the equipment, could dramatically prejudice the owner. Thus, most networked equipment incorporates computer security techniques, such as database access control mechanisms, to prevent unauthorized users from accessing, obtaining or altering the proprietary and/or sensitive information stored on the equipment. In this manner, the integrity and confidentiality of the information can be maintained in a potentially hostile computing environment.
Authentication techniques allow remote users to prove their identity and obtain authorized access to remote equipment. A number of authentication protocols have been proposed or suggested to inhibit the unauthorized and illegal access of remote equipment. In one variation, a user has an associated alphanumeric personal identification number (PIN) or password that is presumably known only to the authorized user. Upon accessing the remote equipment, the user provides the equipment with the appropriate password to establish the authority of the user. Many users select a PIN or password that is easy to remember. Thus, there is a significant risk that such passwords may be guessed or otherwise compromised.
Recently, strong authentication tools, such as the Access Security Gateway Lock (ASG Lock (TM)), commercially available from the Business Communication Systems group of Lucent Technologies, Inc., of Basking Ridge, N.J., have been deployed in environments where large-scale remote access to remote equipment is required. Users of a remote device protected by an Access Security Gateway are assigned a secret key, presumably known only to the user and the remote device. The secret key may be stored, for example, on a pocket token or a computer-readable card. When the user attempts to access a desired remote device, the Access Security Gateway issues a random value, known as a "challenge," to the user. The user then generates an appropriate "response" to the challenge by encrypting the received challenge with the user's secret key (read from the pocket token or computer-readable card), using a known encryption algorithm, such as the data encryption standard (DES). The user transmits the calculated response to the desired remote device, and obtains access to the requested resources provided the response is correct. In order to ensure that the pocket token or computer-readable card is being utilized by the associated authorized user, the user typically must also manually enter a secret alphanumeric PIN or password.
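The challenge/response exchange described above, as an added example that is not taken from the patent or from Lucent's product: the gateway class, user name and key are assumptions, and because the Python standard library has no DES, the response is computed as an HMAC-SHA256 over the challenge rather than a DES encryption. It also shows the two properties the gateway side has to enforce, that each challenge is consumed after one use and that every decision is logged.

```python
import hashlib
import hmac
import secrets

# Hypothetical gateway: names and structure are assumptions, not the ASG Lock design.
# The page's scheme encrypts the challenge under DES; the standard library has no DES,
# so the response here is an HMAC-SHA256 keyed by the user's shared secret instead.


def compute_response(secret_key: bytes, challenge: bytes) -> bytes:
    """Client side: derive the one-time response from the challenge and the shared key."""
    return hmac.new(secret_key, challenge, hashlib.sha256).digest()


class Gateway:
    """Server side: issues challenges, checks responses and logs every decision."""

    def __init__(self, user_keys: dict):
        self.user_keys = user_keys  # user name -> secret key shared with that user
        self.pending = {}           # user name -> outstanding challenge
        self.session_log = []       # (user, outcome) records for accountability

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(8)  # fresh random value for every attempt
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        # The challenge is removed on first use, so a captured response cannot be replayed.
        challenge = self.pending.pop(user, None)
        key = self.user_keys.get(user)
        if challenge is None or key is None:
            self.session_log.append((user, "denied"))
            return False
        expected = compute_response(key, challenge)
        granted = hmac.compare_digest(expected, response)  # constant-time comparison
        self.session_log.append((user, "granted" if granted else "denied"))
        return granted


if __name__ == "__main__":
    gw = Gateway({"alice": b"constructed-secret-key"})  # constructed sample user
    c = gw.issue_challenge("alice")
    print(gw.verify("alice", compute_response(b"constructed-secret-key", c)))  # True
    print(gw.verify("alice", compute_response(b"constructed-secret-key", c)))  # False: replay
    print(gw.session_log)
```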
While such strong authentication tools have effectively reduced the unauthorized and illegal accessing of remote equipment, they suffer from a number of limitations which, if overcome, could dramatically increase the utility and effectiveness of such tools. For example, the requirement that the user manually enter a PIN or password, to ensure that the pocket token or computer-readable card is being utilized by the associated authorized user, requires the presence of a human user. Thus, such strong authentication tools cannot be utilized by expert tools to access remote equipment without human intervention. In addition, current authentication systems do not perform an outbound access control to determine whether users are authorized to leave the network environment in order to access remote equipment, regardless of whether they are authorized to access the remote equipment itself.
As apparent from the above-described deficiencies with conventional techniques for restricting access to remote equipment, a need exists for a centralized authentication system that securely generates one-time tokens to satisfy challenges posed by remote systems. Furthermore, a need exists for an authentication system that logs session records of all processed transactions to establish user accountability. Yet another need exists for a strong authentication tool that provides centralized outbound access control from a network to remote equipment. In addition, a need exists for an authentication system that allows automation at the expert system level.